Super Contributor

Forwarding CEF Events from a Logger to another Logger?


Hi everybody,

How can we forward CEF events from one Logger to another Logger?

Thanks,

Lap

Never give up

Accepted Solutions
Acclaimed Contributor

Hello,

You could try the following:

1) On source Logger configure UDP / TCP Forwarder:

2) On destination Logger configure UDP / TCP Receiver:
a) CEF UDP Receiver: UDP receivers that receive events in Common Event Format.
b) CEF TCP Receiver: TCP receivers that receive events in Common Event Format.

3) Example of a UDP forwarder event (acquired via traffic capture on the destination IP, as I did not have a 2nd Logger) with the unified query "deviceVendor = ArcSight":
CEF:0|ArcSight|Logger|L8152|memory:100|Platform Memory Usage|1| cat=/Monitor/Memory/Usage/Platform cn1=7669 cn1Label=MB Used cs2=CurrentValue cs2Label=timeframe dst=10.10.10.11 dvc=10.10.10.10 end=1509436539096 rt=1509436539096

4) Logger 6.50 Administrator's Guide:
https://community.microfocus.com/t5/Logger/Logger-6-50-Administrator-s-Guide/ta-p/1619132
a) page 368 -> receivers
b) page 397 -> forwarders

Regards,

Marijo



Super Contributor

Hi,

Thank you @Marijo Mandic, your answer is very clear. But I am concerned about the information in the CEF events: which fields will be changed when I configure forwarding of CEF events from the source to the destination Logger?

Lap

Never give up
Micro Focus Expert

The source events are not changed during the forwarding process.

Keep in mind that a forwarder cannot forward at the same EPS rate that the Logger can ingest. Meaning that it should only be used for a subset of the events that are being fed into the Logger.

Some folks do use this architecture as a filtering and routing function for event streams.

With the release of ADP and the Event Broker, the EB routing functions should be used for this instead. It can handle a very high rate of event routing and filtering that a forwarding connector in the Logger just cannot do.

So please check into the Enterprise Broker found in the ADP platform.

Super Contributor

Thank you, @MajorW

Lap

Never give up
Regular Contributor

Hi,

Do you know if it's possible to limit which CEF fields are sent over this type of forwarder?

Ideally I would only like to send a limited set of fields in order to manage bandwidth.

Thanks

Iain

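An added example, not code from Micro Focus, ArcSight or anyone in this thread, that serves two points above: Marijo's captured event shows what a Logger forwarder actually puts on the wire, and Iain asks whether the field set can be trimmed for bandwidth. The script below is a small CEF parser and serializer. It parses the captured event (plus a second line constructed here to exercise escaped `|` and `=` characters and a value containing spaces), rebuilds it, and, through the optional `keep` argument, shows what a reduced copy would look like and how many bytes it saves. As MajorW states, the Logger forwarder itself sends events unchanged, and whether Logger can restrict fields is not answered in this thread; the `keep` projection is an assumption about how one would trim events in a relay of one's own, not a Logger feature. The header is always kept because vendor, product and signature ID are what receivers key their parsing on.

```python
"""Parse and re-serialize ArcSight CEF lines.

Added example for this thread, not Micro Focus / ArcSight code.  The first
sample line is the event Marijo captured; the second is constructed here to
exercise escaped '|' and '=' characters and a value containing spaces.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

SAMPLE_EVENTS = [
    # Event from the accepted answer (a Logger platform-memory event).
    "CEF:0|ArcSight|Logger|L8152|memory:100|Platform Memory Usage|1| "
    "cat=/Monitor/Memory/Usage/Platform cn1=7669 cn1Label=MB Used "
    "cs2=CurrentValue cs2Label=timeframe dst=10.10.10.11 dvc=10.10.10.10 "
    "end=1509436539096 rt=1509436539096",
    # Constructed line: escaped pipe in the header, escaped '=' and a
    # space-containing value in the extension.
    "CEF:0|Example Corp|Web\\|Proxy|1.0|100|Blocked request|7|"
    "src=192.0.2.10 dst=198.51.100.5 request=http://example.test/a\\=b "
    "msg=Policy hit: block list",
]

# The seven pipe-delimited header fields, in order.
HEADER_FIELDS = ("version", "deviceVendor", "deviceProduct", "deviceVersion",
                 "signatureId", "name", "severity")

# An extension key starts at the beginning of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _unescape(text: str) -> str:
    # CEF escapes with a backslash; only n and r are named escapes, every
    # other escaped character stands for itself (\| \= \\).
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  text)


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split on unescaped '|' until seven header fields are collected."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":                         # field delimiter
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than seven pipe-delimited fields")
    return fields, line[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """key=value pairs; a value runs until the next 'key=' token, so spaces survive."""
    ext = ext.strip()
    hits = list(_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line: str) -> dict:
    """Return the header fields plus an 'extension' dict for one CEF line."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("line does not start with 'CEF:'")
    event = dict(zip(HEADER_FIELDS, fields))
    event["version"] = fields[0][len("CEF:"):]
    event["extension"] = _parse_extension(ext)
    return event


def _esc_header(v: str) -> str:
    return v.replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(v: str) -> str:
    return (v.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\n", "\\n").replace("\r", "\\r"))


def serialize_cef(event: dict, keep: Optional[Iterable[str]] = None) -> str:
    """Rebuild a CEF line. With `keep`, only those extension keys are emitted;
    the header is always kept (assumed policy for a field-trimming relay)."""
    head = "CEF:" + event["version"] + "|" + "|".join(
        _esc_header(event[f]) for f in HEADER_FIELDS[1:]) + "|"
    wanted = None if keep is None else set(keep)
    pairs = [f"{k}={_esc_ext(v)}" for k, v in event["extension"].items()
             if wanted is None or k in wanted]
    return head + " ".join(pairs)


def bytes_saved(line: str, keep: Iterable[str]) -> int:
    """Wire bytes saved by forwarding only the `keep` extension fields of `line`."""
    return len(line.encode()) - len(serialize_cef(parse_cef(line), keep).encode())


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_cef(raw)
        print(ev["deviceVendor"], ev["deviceProduct"], ev["name"], ev["extension"])
    print("bytes saved keeping dst/dvc only:",
          bytes_saved(SAMPLE_EVENTS[0], ["dst", "dvc"]))
```

Run it against a packet capture of your own forwarder traffic (one CEF line per UDP datagram, or per newline on the TCP forwarder) to confirm the events arrive byte-for-byte unchanged, and use `bytes_saved` with the field list your downstream queries actually need to estimate the bandwidth a trimmed relay would buy before deciding whether it is worth building.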